Wednesday, June 5, 2019

Different Types Of Network Devices

Infrastructure security depends on the correct use of network components. Network components are an integral part of the computing environment and improve both performance and security. Components such as routers, switches and bridges connect to the firewalls and gateways that manage communication, from the network design down to the protocols employed.

If security fails, the availability of the system fails. Security failures occur in two ways:
1. Unauthorised users gain access to resources and data they are not authorised to use.
2. A security failure prevents a user from accessing resources and data the user is authorised to use.
Both kinds of failure are serious. The primary goal of network infrastructure security is therefore to allow all authorised usage and deny all unauthorised usage of resources.

8.2 Devices
Today's business environment consists not only of clients and servers but also of the network devices required to connect them. These are called communication devices: hubs, switches, routers, LAN cards, gateways, modems, hardware firewalls and so on, as well as wireless access points and special-purpose devices such as Virtual Private Network (VPN) devices. Each of these devices has a specific network function and plays an important role in maintaining network infrastructure security.

8.2.1 Workstations
Workstations are the client computers in a client-server architecture. They are used to send and receive email, create spreadsheets, write reports in a word processor and play games. Many threats to information security start at a workstation once it is connected to a network. Basic steps to maintain workstation security:
- Remove all shares that are not required.
- Rename the administrator account and secure it with a strong password.
- Remove unnecessary user accounts.
- Install an antivirus program and keep it updated.
- Disable USB ports in the CMOS/BIOS settings to restrict data transfer through USB devices.
- Install a firewall between the machine and the Internet.
- Install the latest patches for the operating system (OS) and keep the OS up to date.

8.2.2 Servers
Servers are the computers in a network that host applications and data for users to share. They come in many sizes, from small single-CPU systems to multi-CPU systems such as mainframe computers, and run operating systems such as Windows Server, Linux, UNIX and various mainframe operating systems. A server OS is more robust than a workstation OS and is designed to serve multiple users over a network at the same time. The basic workstation security steps apply to servers as well.

8.2.3 Network Interface Cards
A Network Interface Card (NIC) is the hardware device that connects a server or workstation to a network. A NIC is built for a particular type of network connection, either Ethernet or Token Ring. In local area networks, Ethernet is the most common network type and RJ-45 the most common connector.

The NIC is the physical connection between a computer and the network. NICs are available as single-port and multiport cards. Workstations use a single-port NIC, as only one network connection is required, whereas servers use multiport NICs to increase the number of network connections and so the data throughput to and from the network. Every NIC has a unique 48-bit number, the Media Access Control (MAC) address, which is stored in Read Only Memory (ROM). The MAC address is used in the addressing and delivery of network frames to the correct system. Although the burned-in address is fixed, most operating systems allow the address in use to be changed in software, so a MAC address on its own must not be treated as proof of a device's identity.

8.2.4 Hubs
A hub is a central connecting device in a computer network. It connects multiple machines together in a star configuration with the hub at the centre. A hub operates at the physical layer: it repeats every frame it receives out of every port, so every NIC on the hub sees all traffic; the intended recipient picks up the data and all other computers discard it. This also means that any host on a hub can capture the traffic of every other host. Hubs come with five, eight, sixteen or more ports; one port, the uplink port, is used to connect to the next hub.

8.2.5 Bridges
Bridges operate at the data link layer of the OSI model. A bridge inspects incoming traffic and decides whether to forward or discard it.

8.2.6 Switches
Switches are networking devices similar to hubs in that they connect network equipment together. In today's high-performance network environment switches have replaced both hubs and bridges. Switches operate at the data link layer of the OSI model and use the MAC addresses of network cards to forward each frame only to the port where the destination is attached, rather than to every port.

Switches are intelligent, managed devices and can therefore be hijacked by attackers. They are commonly administered using the Simple Network Management Protocol (SNMP) and Telnet. Both protocols have a serious weakness: they send passwords (and SNMP community strings) across the network in clear text, so anyone who can capture the traffic can recover the administrative password. A further problem is that switches ship with default passwords; if the user does not change the default during setup, an attacker can easily gain access.

Caution: To secure a switch, disable all management protocols other than a secure one such as Secure Shell (SSH); if SNMP is required, use SNMPv3 with authentication and encryption. Using only secure methods to access the switch limits exposure to hackers and malicious users.

8.2.7 Routers
A router connects two or more computer networks and exchanges packets of data between them. Each data packet carries address information that the router uses to determine whether the source and destination are on the same network or whether the packet must be transferred from one network to another. Routers operate at the network layer of the OSI model. A router has two or more network interfaces through which network traffic is forwarded or blocked. Routers are used to segment networks into smaller subnets or to link multiple networks together. The router decides how and when to forward packets between networks based on an internal routing table, which tells the router where each packet should go.

Routers also allow administrators to explicitly deny certain packets the ability to be forwarded between segments. For example, the built-in security features of some routers can prevent users on the internal network from using Telnet to access external systems. Telnet is always a security risk because passwords and all other traffic are transmitted in clear text, so Telnet sessions between the internal network and an external network should not be allowed.

A router can also block spoofed packets: packets whose IP header contains a source address that is not the actual address of the sending computer. Attackers use this technique to make a packet appear to come from an authorised system when it actually came from the attacker's own machine. A router configured with ingress filtering (RFC 2827, BCP 38) drops packets whose source address could not legitimately have arrived on the interface they came in on.

Routers come in various sizes from different vendors. Small routers are used with cable modems and DSL service (Figure). Larger routers handle traffic of tens of gigabits per second per interface over fibre optic links, carrying tens of thousands of concurrent Internet connections.

8.2.8 Firewalls
A firewall is a hardware device or a software program used to protect an internal network from outside intruders. It is much like a wall with a window: the wall keeps everything out except what is permitted through the window.
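The two router controls just described (dropping spoofed packets and refusing certain traffic between segments) and the firewall's rule of allowing only what a function needs can be combined in one small stateless packet filter. The following is example code added to this page for illustration; it is not code from the original chapter. The interface names, the topology (an internal 10.0.0.0/8 network, a DMZ in 192.0.2.0/24, a web server at 192.0.2.10) and the rule set are assumptions, and all addresses are taken from the RFC 5737 documentation ranges.

```python
"""Stateless packet filter: ingress anti-spoofing (RFC 2827 / BCP 38 style)
followed by an ordered allow-list with default deny.

Added example for this chapter, not the chapter's own code. The topology,
interface names, address ranges and rule set below are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed topology: prefixes legitimately located behind each router interface.
# None means "the rest of the Internet" (nothing of ours lives there).
INTERFACE_PREFIXES = {
    "inside": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.0.2.0/24")],
    "outside": None,
}
OUR_PREFIXES = [p for v in INTERFACE_PREFIXES.values() if v for p in v]


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on
    src: str
    dst: str
    proto: str     # "tcp", "udp" or "icmp"
    dport: int     # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # CIDR prefix or "any"
    dst: str
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches every port

    def matches(self, pkt: Packet) -> bool:
        def in_prefix(cidr, addr):
            return cidr == "any" or ip_address(addr) in ip_network(cidr)
        return (in_prefix(self.src, pkt.src)
                and in_prefix(self.dst, pkt.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))


def is_spoofed(pkt: Packet) -> bool:
    """True if the source address cannot legitimately arrive on pkt.ingress."""
    src = ip_address(pkt.src)
    expected = INTERFACE_PREFIXES[pkt.ingress]
    if expected is None:
        # Outside interface: anything claiming one of our own prefixes is forged.
        return any(src in p for p in OUR_PREFIXES)
    # Inside/DMZ interface: the source must belong to that segment.
    return not any(src in p for p in expected)


# Assumed policy for a DMZ web server at 192.0.2.10; first match wins.
RULES = [
    Rule("allow", "any", "192.0.2.10/32", "tcp", 80),     # HTTP from anywhere
    Rule("allow", "any", "192.0.2.10/32", "tcp", 443),    # HTTPS from anywhere
    Rule("deny", "10.0.0.0/8", "any", "tcp", 23),         # no Telnet out of the LAN
    Rule("allow", "10.0.0.0/8", "any", "any", None),      # LAN may initiate anything else
]


def filter_packet(pkt: Packet, rules=RULES):
    """Return (decision, reason); anything not explicitly allowed is dropped."""
    if is_spoofed(pkt):
        return "drop", "spoofed source"
    for n, rule in enumerate(rules):
        if rule.matches(pkt):
            return ("allow" if rule.action == "allow" else "drop"), f"rule {n}"
    return "drop", "default deny"


if __name__ == "__main__":
    samples = [  # constructed sample traffic
        Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 80),
        Packet("outside", "203.0.113.5", "192.0.2.10", "tcp", 22),
        Packet("outside", "10.1.2.3", "192.0.2.10", "tcp", 80),
        Packet("inside", "10.1.2.3", "203.0.113.9", "tcp", 23),
        Packet("inside", "10.1.2.3", "203.0.113.9", "tcp", 443),
    ]
    for p in samples:
        print(p.ingress, p.src, "->", p.dst, p.proto, p.dport, filter_packet(p))
```

The order of checks matters: the anti-spoofing test runs before any rule is consulted, so a packet from the Internet that claims a 10.x.x.x source is dropped even though the allow rules for the web server say "any" source. Everything that no rule explicitly allows falls through to the final default deny, which is the "only the window, nothing else" behaviour the firewall section describes.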
(Figure) Network security policies act as the glass in that window. A security policy defines what traffic is permitted and what traffic is blocked or denied. For example, a Web server connected to the Internet may be configured to allow traffic only on port 80 for HTTP (and port 443 for HTTPS), with all other ports blocked. A firewall allows only the access needed for a function and blocks or denies everything else.

8.2.9 Wireless
Wireless devices carry data over radio waves or infrared, which allows anyone within range to receive it. Placing a wireless device behind the firewall does not help, because the firewall only inspects traffic that passes through it, and radio traffic between clients and the access point never does.

The devices associated with wireless networking are wireless access points; wireless network cards are used to communicate with them (Figure). Access points have a limited range within which they can communicate with client systems. When planning a wireless implementation in a new building, make sure the external walls contain grounded metal studs, and create a wireless shield with thin layers of aluminium under the drywall. This blocks radio transmission into and out of the building, but it will also interfere with pager and mobile phone usage.

Note: Applying secure transmission protocols and configuring the wireless access point to accept only authorised connections will help secure the network.

8.2.10 Modems
A Modulator/Demodulator (modem) converts analogue signals to digital and vice versa. Modems are a slow method of remote connection, used to connect client computers to remote services over standard telephone lines. They are becoming less necessary, but many corporate systems still have modems installed for remote access.

In a corporate network, modems are located in Remote Access Service (RAS) servers and fax servers. Corporate users also remotely access their own systems by configuring a modem in their PC. This is done when no other remote access solution is available or the existing one is inconvenient. Such unmanaged modems can give an intruder an entry point into the network. The best solution is a security policy that controls the installation of modems on corporate systems, together with verification that the systems that do need modems are properly secured.

8.2.11 Telecom/PBX
Telecommunications (telecom) are often overlooked in IT security. Most small companies use a small number of dedicated telephone lines for both incoming and outgoing calls. In larger companies, dedicated lines for thousands of employees are both inefficient and expensive, so a Private Branch eXchange (PBX) is installed instead.

A PBX is a device that routes internal and external telephone lines. It allows a company to have a limited number of external lines and a much larger number of internal lines. PBX systems are cost-effective for large companies, but they have their own vulnerabilities. A PBX is designed to be maintained by an offsite vendor and therefore has remote access available, through a modem or over the LAN. Disable these remote access methods, to limit exposure to direct remote access attacks, until the vendor notifies you that maintenance or an update is required.

8.2.12 RAS
Remote Access Service (RAS) connects client and server through a dial-up telephone connection. It is slower than a cable or Digital Subscriber Line (DSL) connection. When a user dials in, authentication and authorisation are performed through remote access protocols. RAS servers offer security features such as mandatory callback: the server hangs up and calls the client back at a preset telephone number before any data is exchanged, so a stolen password alone is not enough to get in.

For more information on remote access protocols refer to Chapter 9, Authentication and Remote Access.

8.2.13 VPN
A VPN allows users to create a secure tunnel through an untrusted network to reach their corporate network. In large environments VPNs are less expensive to implement and maintain than RAS servers, because no incoming telephone lines or modems are needed. In addition, a higher level of security can be achieved because the communications are encrypted to form the tunnel.

8.2.14 Intrusion Detection Systems
An Intrusion Detection System (IDS) is a device designed to monitor network or system activity for malicious activity or policy violations. IDSs are an essential part of network security. There are two main types: network-based IDS and host-based IDS.

For more information on intrusion detection systems refer to Chapter 11, Intrusion Detection Systems.

8.2.15 Network Access Control
Network Access Control is a method of network security that restricts the availability of network resources to endpoint devices according to the security policy. Two main competing methodologies exist: Network Access Protection (NAP) and Network Admission Control (NAC). NAP is Microsoft's technology for controlling the network access of a host, whereas NAC is Cisco's technology for controlling network admission.

8.2.16 Network Monitoring or Diagnostic
A computer network needs continuous monitoring or diagnostic routines to keep administrators aware of the status of the network and allow them to take corrective action on potential problems. This can be done through monitoring software or dedicated devices located on the network. Network monitoring or diagnostic equipment that is remotely accessible should use strong passwords and encrypted sessions; otherwise the monitoring system itself becomes a way into the network.

8.2.17 Mobile Devices
Mobile phones and Personal Digital Assistants (PDAs) are the latest devices used to send and receive e-mail, connect to remote network applications, browse the Web and so on. Many have word processor and spreadsheet applications and can store limited amounts of data. Because these devices connect to the Internet, they are remotely reachable by potential attackers. Use the data encryption built into newer mobile device operating systems, or third-party encryption software.

8.3 Media
Media carry data to and from network devices. Media can take the form of wire, fibre or radio frequency waves. There are four common methods of connecting devices at the physical layer:
- Coaxial cable
- Twisted-pair cable
- Fibre optics
- Wireless

Coaxial Cable: Coaxial cables are used for cabling televisions, radios and computer networks. The cable is called coaxial because the centre conductor and the braided metal shield share a common axis. It is less susceptible to interference. Today coaxial cable has been replaced by faster and cheaper twisted-pair cable.

UTP/STP: Twisted-pair cables replaced coaxial cables in Ethernet networks. Twisting a pair of wires reduces electrical crosstalk and electromagnetic interference. Multiple twisted pairs are bundled together and easily wired between devices. Twisted pair comes in two types: Unshielded Twisted Pair (UTP) and Shielded Twisted Pair (STP). STP has a foil shield around the pairs to provide extra shielding from electromagnetic interference.
In UTP the twist itself reduces interference.

Depending on the data rate they support, twisted-pair cables are classified into the following categories:
Category 3 (Cat 3): used for voice and data transmission and for 10 Mbps Ethernet.
Category 5 (Cat 5/Cat 5e): used for 100 Mbps Fast Ethernet. Cat 5e is an enhanced version of the Cat 5 specification that addresses far-end crosstalk.
Category 6 (Cat 6): used for Gigabit Ethernet.

Fibre: Fibre is a very thin strand of glass or plastic enclosed in a sheath. Fibre optic cable uses pulses of light to connect devices. It carries data over long distances at high speeds. Because it contains no metal to conduct current, it is not vulnerable to electromagnetic interference, which also protects it from lightning strikes. Fibre has two major drawbacks: its high cost, and the fact that the connection must be optically perfect or performance will degrade or the link may not work at all.

(Figure)

Unguided Media: Unguided media use no physical connector between the two communicating devices. Transmission and reception are through the air via an antenna, and are referred to as wireless. The three types of wireless media are:
- Radio waves
- Microwaves
- Infrared waves

8.4 Transmission Media Security

8.5 Removable Media
Removable media are storage devices that can be removed from a computer while the system is running. Such media can introduce viruses when they are attached to a networked machine. Theft or loss of an organisation's confidential information stored on removable media can cause severe financial damage or harm the organisation's reputation. These issues are addressed by security policies and software. Removable media are of three types: magnetic, optical and flash memory.

Magnetic Media: Magnetic media devices are hard drives, floppy disks, Zip disks and magnetic tape. Each is sensitive to external magnetic fields, and they are also affected by high temperatures and exposure to water.

To protect vital organisational data, do not allow users to bring floppy disks into the organisation, as they could contain viruses or other malicious programs. Another policy option is to remove floppy disk drives from users' computers. Encrypting the contents of hard drives and tapes protects the data if the media is lost or stolen.

Optical Media: Optical media such as CD, DVD, Blu-ray and optical jukeboxes hold data in digital form, read and written by laser. Optical disks are not vulnerable to magnets and are therefore more reliable and durable than magnetic tape, but CDs are very vulnerable to scratching: if the plastic is scratched too much, the laser cannot reflect through it and the data becomes unreadable. For data security, do not allow personal CDs on office premises. Only authorised users should have access to these drives; for other users the drives should be disabled or physically removed from the computers.

Electronic Media: Electronic media use integrated circuit technology to store data and are therefore more stable. Because they are small and portable, they are used to store limited amounts of data when portability or reliability is a key requirement. Smart cards, flash cards, memory sticks and CompactFlash devices are examples of electronic media. They are commonly used in digital cameras, mobile phones, MP3 players, video game consoles and so on, and also to transfer data between computers, so they can easily carry viruses and worms along with the data. For security, run antivirus software on the media before transferring any data.

8.6 Security Topologies
Multiple hardware devices are connected within a network, and a key characteristic of a network is its layout or topology. A security topology is laid out so that it provides both internal security and public access. For example, to take online orders the organisation needs Web servers that customers can reach; those Web servers in turn need access to internal database servers, and internal users need access to various servers and to the Internet.

8.6.1 Security Zones
A modern secure network has different layers of security: the outermost layer provides basic protection and the innermost layer the highest level of protection. Trade-offs between access and security are handled through zones, with successive zones separated by firewalls. The outermost zone is the Internet, which is guarded by a firewall. Between the Internet and the internal secure corporate network is an area where computers are considered at risk. This zone is called the Demilitarised Zone (DMZ).

DMZ: The DMZ acts as a buffer zone between the Internet and the organisation's internal secure network. To separate the zones, a firewall is placed on each side of the DMZ, so that Internet users cannot directly reach the organisation's secure data (Refer to Figure). Web servers, remote access servers and external e-mail servers are placed in the DMZ. Internal domain name servers and database servers holding important organisational data should not be reachable by Internet users; they, along with the application servers, file servers and print servers of the secure network zone, should be placed behind both firewalls. The main idea behind the DMZ topology is to force an outside user to cross the DMZ before any information inside the secure network zone can be reached.

Internet: The Internet is a worldwide connection of networks. It is used to transfer e-mail, Web pages, files and financial records between networks. It is an untrusted network because the organisation cannot apply its security policies to it, so a firewall must sit between the organisation's trusted network and the Internet.

Intranet: An intranet resides inside the trusted area of a network, where network administrators can manage its security. Intranet Web server content is not available to Internet users. Organisational data can be published to outside users in two ways:
1. The information can be duplicated onto computers in the DMZ so that untrusted users can access it.
2. An extranet can be used to publish data to trusted users.

Extranet: An extranet allows outside users such as a company's partners, vendors, customers and resellers to share some of the business information, subject to authentication and authorisation. An extranet gives access to intranet data, mainly through the DMZ. To provide security and privacy of the information, an extranet requires firewall management, digital certificates or user authentication, and encryption of messages. Use a VPN to protect it from unauthorised access.

VLAN: A Virtual LAN (VLAN) is a group of computers that share the same broadcast domain even though they are physically located in different places. VLANs are configured in software, so they are more flexible: when a system is physically moved to a different location it stays on the same VLAN without any hardware reconfiguration. Increased network performance, easier management, less configuration and higher security are the advantages of VLANs. Note that the separation a VLAN provides is only as strong as the switch configuration that enforces it.

Note: A broadcast domain is a network (or portion of a network) that will receive a broadcast packet from any node located within it.

NAT: Network Address Translation (NAT) was first described in RFC 1631 and later specified in RFC 3022; it is commonly used in TCP/IP networks. It works at OSI layer 3, the network layer (the port-based form, PAT or NAPT, also rewrites transport-layer port numbers).
NAT uses two sets of IP addresses, one for internal use and one for external use.

NAT is a feature of firewalls, proxies and routing-capable systems. It hides the IP addresses of the internal network from Internet users, which reduces the risk of outsiders collecting important information about the network, such as its structure and layout and the names and IP addresses of systems, and so makes it harder for them to gain access to the network.

NAT lets internal users within an organisation use non-routable IP addresses, that is, addresses that will not be routed across the Internet. These are called private IP addresses. The private address ranges (RFC 1918) are:
Class A: 10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
Class B: 172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
Class C: 192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

After NAT is configured, external users can reach only the IP address of the NAT host that is directly connected to the Internet; they cannot reach the internal systems that go through the NAT host to access the Internet. When NAT is used in this way to hide internal IP addresses (Refer to Figure), it is often called a NAT firewall. Strictly, NAT by itself is only address rewriting; what keeps unsolicited traffic out is that the NAT device accepts inbound packets only for connections already in its translation table, and a proper stateful firewall should still be placed in front of or on the NAT device.

Internal users communicate with outside networks through the NAT device, such as a NAT router (Refer to Figure). The NAT router keeps a translation table that tracks every connection request that has come from the internal network. Each outgoing packet passes through NAT, which replaces the internal user's IP address with its own public IP address and forwards the packet to the final destination. Returned packets are looked up in the translation table and forwarded to the correct internal user.

8.7 Chapter Review Questions
1. At which layer of the OSI model do switches operate?
(A) Physical layer (B) Data link layer (C) Network layer (D) Transport layer
Ans: B
2. At which layer of the OSI model do routers operate?
(A) Physical layer (B) Data link layer (C) Network layer (D) Transport layer
Ans: C
3. DSL stands for ________.
(A) Domain Subscriber Line (B) Domain Specific Line (C) Digital Specific Line (D) Digital Subscriber Line
Ans: D
4. What should you do to secure the data on a hard drive if the drive is removed from the site?
(A) Encrypt the data (B) Compress the data (C) Archive the data (D) Use strong passwords to log in to all computers at the site
Ans: A
5. Which is the most secure cable for implementing a secure network infrastructure?
(A) Coaxial cable (B) Twisted-pair cable (C) Fibre cable (D) None of these
Ans: C
6. Which network topology area will contain public Web servers?
(A) VPN (B) VLAN (C) Firewall (D) DMZ
Ans: D
7. Which network topology area will contain critical servers such as private Web servers, domain controllers or SQL servers?
(A) Intranet (B) Extranet (C) Internet (D) DMZ
Ans: A
8. Which network topology area allows business partners and customers to access the owner's intranet?
(A) Intranet (B) Extranet (C) Internet (D) DMZ
Ans: B
9. Network access control is associated with which of the following?
(A) NAT (B) IPsec (C) IPv6 (D) NAP
Ans: D
10. The purpose of twisting the cables in twisted-pair circuits is to _____.
(A) reduce crosstalk (B) increase speed (C) increase bandwidth (D) None of these
Ans: A

8.7.1 Answers
1. B
2. C
3. D
4. A
5. C
6. D
7. A
8. B
9. D
10. A

Summary
In this chapter, Infrastructure Security, you learnt about:
- Different types of network devices: workstations, servers, NICs, hubs, bridges, switches, routers, firewalls, wireless, modems, Telecom/PBX, RAS, VPN, IDS, Network Access Control, network monitoring and diagnostic, and mobile devices.
- Different types of communication media between the devices: coaxial cable, UTP/STP cable, fibre cable and unguided media.
- Different types of removable media: magnetic media, optical media and electronic media.
- Different types of security topologies: DMZ, Internet, intranet, extranet, VLAN and NAT.
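The translation-table behaviour described under NAT in section 8.6.1 (outgoing packets rewritten to the public address, replies looked up in the table, everything else dropped), simulated in Python. This is example code added to the page, not code from the original chapter. It models port-based NAT (PAT/NAPT), the form used by practically every home and office router; the public address, the mapped port range and the sample traffic are assumptions, with all addresses taken from the RFC 5737 documentation ranges, and the private ranges are the RFC 1918 ranges listed in the chapter.

```python
"""Simulation of port-based NAT (PAT / NAPT) as described in section 8.6.1.

Added example, not the chapter's own code. The public address, the mapped
port range and the sample traffic are assumptions; the private ranges are
the RFC 1918 ranges listed in the chapter."""
from ipaddress import ip_address, ip_network

PRIVATE_RANGES = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True for an RFC 1918 address, i.e. one that must not cross the Internet."""
    return any(ip_address(addr) in net for net in PRIVATE_RANGES)


class NatRouter:
    """Rewrites outbound source (ip, port) to (public_ip, mapped port) and
    translates replies back, dropping inbound packets that have no mapping.
    One mapping is created per connection (symmetric NAT behaviour)."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (proto, inside_ip, inside_port, remote_ip, remote_port) -> mapped port
        self.outbound_map = {}
        # (proto, mapped port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.inbound_map = {}

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the internal network.
        Returns the rewritten (src_ip, src_port, dst_ip, dst_port), or None
        if the source is not a private address (nothing to translate)."""
        if not is_private(src_ip):
            return None
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key not in self.outbound_map:
            mapped = self.next_port
            self.next_port += 1
            self.outbound_map[key] = mapped
            self.inbound_map[(proto, mapped)] = (src_ip, src_port, dst_ip, dst_port)
        return (self.public_ip, self.outbound_map[key], dst_ip, dst_port)

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from the Internet.
        Returns the rewritten (src_ip, src_port, dst_ip, dst_port), or None
        if the packet must be dropped: it is not addressed to our public
        address, no internal host opened a mapping on that port, or it comes
        from a different remote endpoint than the mapping was created for."""
        if dst_ip != self.public_ip:
            return None
        entry = self.inbound_map.get((proto, dst_port))
        if entry is None:
            return None
        inside_ip, inside_port, remote_ip, remote_port = entry
        if (src_ip, src_port) != (remote_ip, remote_port):
            # Without this endpoint check (so-called full-cone NAT) any host
            # that guesses the mapped port can reach the inside host: NAT on
            # its own is not a firewall.
            return None
        return (src_ip, src_port, inside_ip, inside_port)


if __name__ == "__main__":
    nat = NatRouter("203.0.113.1")   # constructed sample traffic follows
    print(nat.outbound("tcp", "192.168.1.20", 51000, "198.51.100.7", 443))
    print(nat.inbound("tcp", "198.51.100.7", 443, "203.0.113.1", 40000))
    print(nat.inbound("tcp", "198.51.100.9", 443, "203.0.113.1", 40000))
```

The second inbound call in the usage block is the interesting one: the port 40000 mapping exists, but the packet comes from a host the inside client never talked to, so it is dropped. Two internal hosts that happen to use the same source port are kept apart by giving each its own mapped public port, which is why the port is rewritten and not just the address.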
